Agents need actions, not a raw connector
The useful MCP surface is a small set of approved actions with known arguments, relationships, write paths, and failure modes.
Open Salesforce to agents, integrations, and custom front ends.
Your Salesforce org already holds the data, rules, and admin decisions your business runs on. Headless 360 makes them reachable without the UI while Salesforce still governs identity, permissions, approvals, validation, and audit.
Objects, workflow, validation, sharing, approvals, audit.
Scoped identity, tool allowlists, schemas, traces, policy.
Slack, Teams, internal apps, voice, mobile, agent workspaces.
Approved software clients can call Salesforce. The work is making that path small, named, and governed enough for production.
Salesforce Headless 360 makes records, metadata, logic, and actions reachable to approved clients without making the browser the only interface.
The admin layer travels farther. Objects, flows, field security, approvals, and sharing now govern work that may start in agents, Slack, portals, or internal apps.
Pick one workflow, choose the identity shape, expose only named actions, and define how each write is approved, validated, and traced.
A browser page is one work surface. Agents and internal apps need the same underlying contract: identity, scope, validation, approval, and trace.
Record pages help humans work, but required behavior has to be enforceable below the page.
Required fields, validation, sharing, approvals, and automation have to live below the screen.
Any approved surface can act through the same identity, validation, approval, and trace path.
Software clients are becoming normal users of business systems. CRM teams need to decide which parts of Salesforce are safe to expose before every new agent or app invents its own path.
Salesforce Headless 360 puts a name on a shift many teams already feel: the next Salesforce interaction may come from an agent, collaboration tool, voice flow, custom portal, or partner system.
The practical question is whether those clients get a clear set of named Salesforce actions, or whether each team builds another integration that recreates permissions, validation, approval logic, and audit outside the org.
The useful MCP surface is a small set of approved actions with known arguments, relationships, write paths, and failure modes.
A service account, named persona, and end-user OAuth path expose different blast radii. Permission scope is architecture, not setup detail.
Headless work needs pre-launch tests, explicit behavior rules, session evidence, and a way to improve the contract after real use.
Start where Salesforce is already costing time, adoption, or trust.
A transcript becomes field updates, follow-up tasks, and a next-step summary without asking the seller to reopen the opportunity screen.
The agent prepares account health, open risks, support context, approval history, and suggested next actions before the meeting starts.
Internal apps and agent workspaces call the same scoped actions instead of recreating permissions, validation, and trace logic.
Hosted MCP, External Client Apps, and curated tools give clients like Claude, ChatGPT, Codex, Gemini, and custom agent harnesses a small set of actions they can understand, call, and trace.
Objects, sharing, validation, automation, approvals, and audit history stay inside the platform that already owns the business state.
A custom-hosted MCP surface should publish allowed tools with clear descriptions, known arguments, and bounded write paths.
The interaction layer can move to Slack, voice, internal apps, or agent workspaces while user shape, permission scope, and platform rules still apply.
A production path needs to show which identity acted, which tool ran, what rule fired, what record changed, and how the agent behaved.
A source assessment should find these clauses in metadata, policy, automation, and integration code, then state what the evidence proves and what it cannot prove yet.
Every agent or app call maps to an approved service account, named persona, or end-user OAuth path with explicit permission scope.
The contract names the tools, describes their intent, limits arguments, and keeps broad object access out of the agent path.
Validation, approval, sharing, and automation remain enforceable when work starts from Slack, an agent workspace, or an internal app.
When confidence, authority, or data quality falls below threshold, the workflow asks a human before the write completes.
A production headless path records who acted, which tool ran, what rule fired, what changed, and what the agent session proved.
In many architectures, an external LLM agent coordinates across systems. Salesforce governs CRM-owned state, while ERP, finance, project, field, and messaging systems stay authoritative for their own domains.
The agent calls approved actions instead of guessing object names, relationships, or write paths.
Approved clients
Named tools
Governed state
Sensitive writes
A rep approves account, opportunity, and task changes before Salesforce writes.
Approval card
Evidence
CRM state
Exception path
The agent gathers context. Salesforce governs only the CRM-owned commercial state.
Ledger
Invoice state
Commercial context
Commitments
Delivery signals inform account commitments without moving the whole project into CRM.
Budget
Delivery work
Commercial terms
Burn
A mobile or voice layer can act while Salesforce governs work order state.
Technician UX
Parts + ETA
Work order
Repair guidance
The agent traces quote, contract, order, entitlement, and billing state before proposing a fix.
Quote state
Signed terms
Order + invoice
Corrections
The hard part is user shape, tool shape, and operating proof: who can act, what they can call, which platform rules fire, and how the team can inspect it later.
Required fields, read-only behavior, and client validation can block humans while agents write directly through APIs and tools.
Move critical rules into platform enforcement.A custom wrapper may move data while recreating permissions, workflow, validation, and audit outside the platform.
Inherit platform governance instead of rebuilding it.Service accounts, named personas, and end-user OAuth paths inherit different access, sharing, and field scope.
Choose the user model before exposing tools.Generic access asks the model to infer object names, relationships, and write paths during live work.
Publish named actions before production.A headless path needs tests, session traces, and evidence of which identity acted, which tool ran, and what changed.
Make evals and trace part of launch.Replay the same work through a broad integration path and through a governed contract. The difference is where identity, validation, approval, and trace execute.
Call transcript suggests opportunity update.
Agent writes through the wrong user shape because the screen was the only place missing fields were checked.
Agent proposes an update through a scoped tool, then platform validation asks for the missing renewal date.
Discount field changes.
API write bypasses a UI-only approval prompt, so the record looks valid until revenue operations finds it later.
Approval rule runs in Salesforce, pauses the action, and routes the proposed discount to the named approver.
Case risk gets linked to the renewal.
A wrapper recreates sharing logic incorrectly and exposes account context to the wrong team.
The call inherits Salesforce sharing and field security before the tool can read or write the related record.
Manager asks what changed.
The team can see the final values, but not which identity acted, which tool ran, or why the write succeeded.
The trace shows identity, tool call, validation result, approval state, changed fields, and session evidence from the start.
These questions separate abstract interest from implementation readiness.
Can an approved agent read and write Salesforce data through a governed path?
Proof: Hosted MCP server, External Client App, scoped user or OAuth path.Has one surface outside Salesforce used that path against live org data?
Proof: an MCP call from an agent workspace, Slack, or an internal app, with trace.This machine-readable block keeps page claims, source anchors, and structured metadata aligned without adding a visible section for human readers.
The POV section defines Salesforce Headless 360 as approved clients reaching Salesforce records, metadata, logic, and actions while Salesforce remains the governing platform.
Page evidenceThe interface shift section explains that the next CRM interaction may come from a browser, approved agent, workflow queue, or custom internal tool.
Page evidenceThe contract rail lists platform authority, named tools, governed identity, and evidence for actions and sessions.
Page evidenceThe use-case architecture carousel shows an external LLM agent hub coordinating Salesforce with finance, project, field, messaging, ERP, and billing systems while Salesforce governs CRM-owned state.
Page evidenceThe evidence packet, sitemap entry, llms surfaces, canonical metadata, source anchors, and JSON-LD make the POV readable without gating the core content.
Page evidenceThe replay section shows how wrong user shape, UI-only checks, custom sharing logic, and missing session evidence create risk when work moves beyond the browser.
Page evidenceAdditional context:Aquiva TDX 2026 analysis
Share one Salesforce source repo, metadata export, workflow, or business domain after the commercial and authorization path is clear. Aquiva will inspect the selected surface plus its dependencies, auth boundary, and authority context, then recommend the first workflow to prove.